Cloud
Latest revision as of 22:05, 5 December 2024
Ever wanted to learn about cloud computing, but were worried about monthly costs or confusing product options?
Wanted something new to learn that's stay-at-home compatible?
Hacksburg has computing resources on-site which members can use from anywhere.
What Hacksburg Offers
- Member Virtual Machines
  - 2 cores, 6GiB RAM, 64GiB hard drive space
  - Private IP address on Hacksburg's network. Laptops, Raspberry Pis, etc. can all communicate directly with each other.
  - Public IPv6, so anyone on the Internet can connect to your server (subject to our firewall rules). Treat the VM as Internet-facing: keep it patched and don't expose services you haven't locked down.
  - Gigabit Internet connection
  - *.<name>.cloud.hacksburg.org DNS wildcard
  - HTTP(S) for DNS wildcard to your server(s)
- Colocation (bring your own server/Pi/etc.)
  - Subject to power limits (please don't blow the breaker)
  - Colocated servers also on Hacksburg network
- VPN
  - Access your projects on Hacksburg's network from anywhere.
Hacksburg wants all members to explore computational projects using our resources. If there's something you think we can offer that isn't shown here, come to an open meeting or email board@hacksburg.org to discuss.
Want access?
- To get a virtual machine, make sure you're an active Hacksburg member, then email board@hacksburg.org
  - VPN access will only be given if you are a board member, have a VM, or have some other reason. Email board@hacksburg.org to request VPN access.
Hacksburg Physical Hardware
- Main Server
  - HP ProLiant DL370 G6
  - 2x Xeon E5530, 8 Core / 16 Thread
  - 48GB of memory
  - 4x Gigabit Ports
  - 2x 10G SFP+ cages
  - Fibre channel
  - 8x 146GB 10K SAS in RAIDZ1 configuration (Total space reported: 1.06TB)
  - Runs ProxMox VM hosting software
- Second Server
  - IBM System x3650 M3
  - 2x Xeon X5675, 12 Core / 24 Thread
  - 96GB of memory
  - 10x Gigabit Ports
  - 2x Fibre channel
  - Hard Drives TBD
  - Will run ProxMox VM hosting software
- Sun Servers 1 and 2
  - SunFire X4200
  - Do not turn on the Sun Servers because they are unacceptably loud.
- Switch
  - tp-link 8-port Gigabit switch, TL-SG108
Hacksburg Network Layout
- pfSense Router
  - Internet comes in here
  - 192.168.15.1
- Main Server
  - ProxMox web interface for the main server. This is where you go to interact with your VMs.
  - How to access: https://cloud.hacksburg.org
  - Where it's located: 192.168.15.2
- Docker Host
  - Runs NGINX reverse proxy. All HTTP(S) traffic at Hacksburg runs through this NGINX reverse proxy. Members can request forwarding to their containers.
  - 192.168.15.3
  - Containers:
    - Jitsi Meet
      - https://meet.hacksburg.org
      - Hosts our open meetings and classes
    - PeerTube
      - https://video.hacksburg.org
      - Hosts recordings of our classes
    - Snipe-It (https://snipeitapp.com/)
      - https://assets.hacksburg.org
      - Asset Management System for keeping track of tools, equipment, maintenance of equipment, etc.
- OctoPrint
  - Control interface for our 3D printer.
  - How to access: https://printer.hacksburg.org
  - Where it's located: 192.168.15.4
VPN
VPN allows direct access to the Hacksburg network from anywhere else that has access to the public Internet. Email board@hacksburg.org to get your username and password.
Connection Instructions
Windows 10
These instructions may also work for Windows 8.1, 7, Vista, etc.
1. Download the Hacksburg certificate: http://hacksburg.org/Hacksburg+CA.crt. This is the CA that signs the VPN server's certificate. Installing it as a trusted root (steps 2 to 8) makes Windows trust everything that CA signs, for every program on the machine and not just the VPN, and the download link is plain HTTP, so confirm the certificate's thumbprint (shown on the Details tab when you open the file) with the board before you install it.
2. Right-click and choose "Install certificate".
3. Choose "Local Machine" (second option) and click Next.
4. Choose "Place all certificates in the following store" (second option).
5. In the window that comes up, choose "Trusted Root Certification Authorities" (second option). Click OK.
6. Click Next.
7. Click Finish.
8. It should say that importing the certificate was successful. Click OK.
9. Open an administrator PowerShell and run the following commands, one per line (the dashes are plain ASCII hyphens):

 Add-VpnConnection -Name "Hacksburg" -ServerAddress "cloud.hacksburg.org" -TunnelType IKEv2 -EncryptionLevel Required -AuthenticationMethod EAP -SplitTunneling -AllUserConnection
 Add-VpnConnectionRoute -ConnectionName "Hacksburg" -DestinationPrefix 192.168.15.0/24 -PassThru -AllUserConnection
 Add-VpnConnectionRoute -ConnectionName "Hacksburg" -DestinationPrefix 192.168.17.0/24 -PassThru -AllUserConnection
 Add-VpnConnectionRoute -ConnectionName "Hacksburg" -DestinationPrefix 192.168.18.0/24 -PassThru -AllUserConnection

-SplitTunneling means only the three routes added above go through the VPN; the rest of your traffic keeps using your normal connection. You should now have a VPN named Hacksburg. Click the network icon in the taskbar tray, click Hacksburg, and connect with the provided username and password.
Linux (and friends)
Setup
Install strongswan. If you use NetworkManager (Ubuntu), you can use these instructions (https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup#NetworkManager) and fill in the following values:
VPN Server IP: 216.252.204.76
VPN Username: Email board@hacksburg.org to request
VPN Password: Email board@hacksburg.org to request
If you do not use NetworkManager, add the following conn to your ipsec.conf file. On Arch Linux, this file is located at /etc/ipsec.conf:

 conn Hacksburg
     keyexchange=ikev2
     dpdaction=clear
     dpddelay=30s
     eap_identity="<USERNAME>"
     leftauth=eap-mschapv2
     left=%defaultroute
     leftsourceip=%config
     right=cloud.hacksburg.org
     rightauth=pubkey
     rightsubnet=0.0.0.0/0
     rightid=%any
     rightca=<CACERT>
     type=tunnel
     auto=add

Where <USERNAME> is replaced by the username issued to you by emailing board@hacksburg.org. rightca takes the CA's distinguished name, not a file path: copy the downloaded certificate (http://hacksburg.org/Hacksburg+CA.crt) into /etc/ipsec.d/cacerts/, where strongswan loads it automatically, and then either delete the rightca line or replace <CACERT> with the CA's subject DN. Two settings worth knowing about: rightid=%any accepts any server certificate issued by that CA (if the board tells you the identity in the server's certificate, put it in rightid instead), and rightsubnet=0.0.0.0/0 sends all of your traffic through the VPN, unlike the Windows split tunnel above; to route only Hacksburg's networks use rightsubnet=192.168.15.0/24,192.168.17.0/24,192.168.18.0/24.

Then create the file /etc/ipsec.secrets, readable only by root (chmod 600 /etc/ipsec.secrets) since it holds your password, and include the following line:

 <USERNAME> : EAP "<PASSWORD>"

Where the username and password are issued to you by emailing board@hacksburg.org. Then load the conn. Note that ipsec auto --add is an Openswan/Libreswan command; with strongswan, start the ipsec.conf-based daemon (the legacy starter unit; ipsec start does the same where that unit is not shipped), or reload it if it is already running:

 # systemctl start strongswan-starter
 # ipsec reload

strongswan.service (charon-systemd) is the swanctl-based daemon and does not read ipsec.conf.

The next two files are only needed for an L2TP/IPsec (IKEv1) client such as the NetworkManager setup linked above; the IKEv2 conn above carries IP traffic in the tunnel directly and does not use xl2tpd or pppd. If you do use L2TP, make sure /etc/xl2tpd/xl2tpd.conf has the following contents (the section header needs both brackets):

 [lac Hacksburg]
 lns = 216.252.204.76
 ppp debug = yes
 pppoptfile = /etc/ppp/options.l2tpd.client
 length bit = yes

And /etc/ppp/options.l2tpd.client (also readable only by root, as it holds your password) has the following contents:

 ipcp-accept-local
 ipcp-accept-remote
 refuse-eap
 require-mschap-v2
 noccp
 noauth
 idle 1800
 mtu 1410
 mru 1410
 defaultroute
 usepeerdns
 debug
 connect-delay 5000
 name <USERNAME>
 password <PASSWORD>

Again using the username and password you received from the board.
Start VPN
With the ipsec.conf setup above, bring the tunnel up and down with:

 # ipsec up Hacksburg
 # ipsec down Hacksburg

Check with ipsec statusall that the Hacksburg SA shows ESTABLISHED and with ip route show table 220 that routes to Hacksburg's networks were installed. If you instead run strongswan.service and swanctl (systemctl start strongswan, then swanctl -i -c Hacksburg), the connection has to be defined under /etc/swanctl/conf.d/ rather than in ipsec.conf, because charon-systemd ignores ipsec.conf.
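swanctl reads /etc/swanctl/conf.d/, not ipsec.conf, so the conn above has to be restated in swanctl.conf syntax before swanctl -i -c Hacksburg can do anything. The script below is an added example, not from the Hacksburg wiki: it writes that equivalent (IKEv2, EAP-MSCHAPv2, virtual IP, dead-peer detection) into a prefix directory you choose, puts the CA where swanctl --load-creds picks it up, and creates the file 0600 because it carries the password. Assumptions of mine, not the page's: the server certificate chains to the downloaded Hacksburg CA, the split tunnel should match the three /24s the Windows instructions route, and the file name hacksburg.conf and the secrets section name eap-hacksburg are arbitrary choices.

```shell
#!/bin/sh
# Added example, not from the Hacksburg wiki: render the swanctl.conf
# equivalent of the ipsec.conf conn for the Hacksburg IKEv2/EAP-MSCHAPv2 VPN.
# Assumptions (mine): server cert chains to the Hacksburg CA; split tunnel
# mirrors the Windows routes; file/section names are arbitrary.
#
# Usage: render_swanctl_conf <username> <password> <path/to/Hacksburg+CA.crt> [prefix]
# Render under a scratch prefix first to inspect the result, then run as root
# with no prefix (or copy the tree into /).
render_swanctl_conf() {
    rs_user=$1 rs_pass=$2 rs_cafile=$3 rs_prefix=${4:-}
    rs_confdir="$rs_prefix/etc/swanctl/conf.d"   # included by the default swanctl.conf
    rs_cadir="$rs_prefix/etc/swanctl/x509ca"     # CA certs loaded by `swanctl --load-creds`
    mkdir -p "$rs_confdir" "$rs_cadir"
    cp "$rs_cafile" "$rs_cadir/hacksburg-ca.crt"
    rs_conf="$rs_confdir/hacksburg.conf"
    # The file holds the VPN password, so create it 0600 from the start.
    (
        umask 077
        cat > "$rs_conf" <<EOF
connections {
    Hacksburg {
        version = 2
        remote_addrs = cloud.hacksburg.org
        vips = 0.0.0.0
        dpd_delay = 30s
        local {
            auth = eap-mschapv2
            eap_id = $rs_user
        }
        remote {
            auth = pubkey
            # %any accepts any server certificate issued by the Hacksburg CA.
            # Put the server's certificate identity here if the board tells you it.
            id = %any
        }
        children {
            Hacksburg {
                # Same split tunnel as the Windows instructions, not 0.0.0.0/0.
                remote_ts = 192.168.15.0/24,192.168.17.0/24,192.168.18.0/24
                dpd_action = clear
            }
        }
    }
}
secrets {
    eap-hacksburg {
        id = $rs_user
        secret = "$rs_pass"
    }
}
EOF
    )
    printf '%s\n' "$rs_conf"
}
```

After the file is in place, run swanctl --load-all (strongswan.service does this itself at start), then swanctl -i -c Hacksburg as in the Start VPN section; swanctl -t -c Hacksburg terminates the child SA again.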
Software Tools
You can remote in to Hacksblade to use SprutCAM and Lightburn:
1. Install NoMachine (https://www.nomachine.com/). When proceeding through the instructions, do not install the server. If you already have NoMachine, no need to install it again.
2. Connect to the VPN.
3. Open NoMachine.
4. In the search box, connect to "192.168.15.194".
5. Use your username and password. You will be prevented from logging in if someone else is using the computer.
6. Important: Make sure to unselect "Change the server resolution to match the client when I connect". If you choose this, you can mess up the remote desktop for other users.
7. You are now presented with the Windows login. Log in with the Hacksburg account, not your own.
8. Do your work.
9. Log out of the Hacksburg account using the start menu.
10. Close the NoMachine connection by clicking on the top right corner, choosing the power button, and clicking "Exit the Player".
Notes
https://pve.proxmox.com/wiki/ZFS:_Switch_Legacy-Boot_to_Proxmox_Boot_Tool#Switching_to_proxmox-boot-tool
https://sleeplessbeastie.eu/2017/03/06/how-to-use-hp-command-line-array-configuration-utility/
http://www.datadisk.co.uk/html_docs/redhat/hpacucli.htm
HP Server, Drive Replacement
1. Remote into the server: ssh root@192.168.15.2
2. Confirm with ZFS that a drive has failed: zpool status rpool. One of the drives should be marked FAULTED, OFFLINE, REMOVED or similar.
3. Confirm on the front of the server that a drive has failed: look for the red light. Note the number of the drive that has failed.
4. Open up the RAID controller utility: hpacucli.
5. You are now in the command line for the RAID controller utility. Type ctrl slot=0 show config. This will take a while, and should confirm that one of your logicaldrives has failed. The logicaldrive number should match the numbered bay on the front of the server.
6. Physically swap the drive: push the red button on the correct drive, pull it out, and push in the new drive until it clicks. WARNING: pulling the wrong drive at this moment will result in ZFS redundancy failure and data loss, because RAIDZ1 only survives one missing disk. If you're really scared, shut down the computer first, and don't start it back up until you know you've swapped the correct drive.
7. Now run ctrl slot=0 ld <NUMBER> modify reenable forced, where <NUMBER> is the bay number of the (previously) failed drive. This tells the RAID controller that everything's fine and it should just carry on with the new disk.
8. Type exit to get out of the array configuration utility.
9. Run zpool status rpool again, and now one of the drives should definitely be marked as REMOVED. Note the (very long) name of that drive in the left column.
10. Replace the disk in ZFS: zpool replace rpool <NAME> /dev/disk/by-id/<NAME-2>, where <NAME-2> is the same name as the drive, without the -part3 suffix. For example, if <NAME> is scsi-300320938420934-part3, <NAME-2> should be scsi-300320938420934. A disk that was itself a replacement may show a different partition suffix, or none at all; whatever it is, strip any -partN so that ZFS gets the whole disk.
11. ZFS is now rebuilding (resilvering) the failed disk. The server may be slow for the next several hours. You can run zpool status to check on the progress. Its remaining time estimate is wildly too low; don't rely on it.
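Steps 9 and 10 are where a typo or a second bad disk turns a routine swap into a restore from backup. As an added example that is not part of the wiki page, the POSIX shell script below reads saved zpool status output, refuses to do anything unless exactly one leaf vdev is in a non-ONLINE state, strips any -partN suffix (not just -part3) and prints the exact zpool replace command so you can paste it rather than retype a 40-character device ID. The zpool status text it ships with is constructed sample data with made-up scsi- IDs; the pool name rpool and the by-id naming are the page's.

```shell
#!/bin/sh
# Added example, not from the Hacksburg wiki: derive the `zpool replace` command
# for the single failed vdev in a `zpool status` listing.
# Usage: sh zfs_replace_cmd.sh <pool> <file with zpool status output>
# With no arguments it runs against the constructed sample below.

# Constructed sample of `zpool status rpool` on a 3-disk RAIDZ1 with one
# removed member; the scsi-... IDs are made up.
sample_status() {
    cat <<'EOF'
  pool: rpool
 state: DEGRADED
status: One or more devices has been removed by the administrator.
config:

        NAME                                          STATE     READ WRITE CKSUM
        rpool                                         DEGRADED     0     0     0
          raidz1-0                                    DEGRADED     0     0     0
            scsi-3600508b1001c0000000000000001-part3  ONLINE       0     0     0
            scsi-3600508b1001c0000000000000002-part3  REMOVED      0     0     0
            scsi-3600508b1001c0000000000000003-part3  ONLINE       0     0     0

errors: No known data errors
EOF
}

# Print every leaf vdev whose STATE column is not ONLINE.
# $1 = status file, $2 = pool name (skipped, as are raidz/mirror group rows).
degraded_vdevs() {
    awk -v pool="$2" '
        /^[[:space:]]*NAME[[:space:]]+STATE/ { intable = 1; next }
        NF == 0                              { intable = 0 }
        intable && $1 != pool && $1 !~ /^(raidz|mirror|spare|log|cache)/ && $2 != "ONLINE" { print $1 }
    ' "$1"
}

# Strip a trailing -partN (the -part3 of a Proxmox install, or whatever suffix a
# previously replaced disk got) to get the whole-disk by-id name zpool replace needs.
whole_disk_name() {
    printf '%s\n' "$1" | sed 's/-part[0-9][0-9]*$//'
}

# Print the replace command, or fail unless exactly one vdev is bad: with
# RAIDZ1 a second failure means restore from backup, not replace.
replace_command() {
    rc_pool=$1
    rc_bad=$(degraded_vdevs "$2" "$rc_pool")
    rc_count=$(printf '%s\n' "$rc_bad" | grep -c . || true)
    if [ "$rc_count" -ne 1 ]; then
        echo "refusing: expected exactly one non-ONLINE vdev in $rc_pool, found $rc_count" >&2
        return 1
    fi
    printf 'zpool replace %s %s /dev/disk/by-id/%s\n' \
        "$rc_pool" "$rc_bad" "$(whole_disk_name "$rc_bad")"
}

if [ "$#" -ge 2 ]; then
    replace_command "$1" "$2"
else
    demo=$(mktemp)
    sample_status > "$demo"
    replace_command rpool "$demo"
    rm -f "$demo"
fi
```

On the real server, save the listing first (zpool status rpool > /root/status.txt), run the script against it, and only then paste the printed command; the script never calls zpool itself, so it cannot touch the pool.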